August 20, 2020

DigiCert® PKI Platform

HSM Installation and Configuration for nShield


Legal Notice

Copyright © 2020 DigiCert, Inc. All rights reserved. DigiCert and its logo are registered trademarks of DigiCert, Inc. Other names may be trademarks of their respective owners.

The product described in this document is provided by DigiCert, Inc. and distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of DigiCert, Inc. and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. DIGICERT, INC. SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The licensed software and documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the licensed software and documentation by the U.S. Government shall be solely in accordance with the terms of this documentation.

DigiCert, Inc.

2801 North Thanksgiving Way, Suite 500 Lehi, UT 84043


Table of Contents

INTRODUCTION

REVISION HISTORY

SUPPORTED HSMS

NSHIELD CONNECT HSM

INSTALL SECURITY WORLD SOFTWARE

CONFIGURE SECURITY WORLD SOFTWARE

CONFIGURE HA (HIGH AVAILABILITY)

CONFIGURE CSP (MODULE PROTECTION)

CONFIGURE KSP (MODULE PROTECTION)

GENERATE CSR AND INSTALL CERTIFICATE (MODULE PROTECTION)


Introduction

This document describes the installation and configuration steps for the nShield Connect HSM that the DigiCert PKI Enterprise Gateway and Autoenrollment server use.

Revision History

No. Date Summary

1. 2019/05/10 Create a new entry

2. 2019/08/30 The algorithm of signature for PKCS#10 (CSR) has been changed from SHA1 to SHA256.

3. 2019/11/20 Provider Type changed to 0 as Provider Type is not defined for KSP

4. 2020/03/23 Added support for:

• Strict FIPS 140-2 Level 3 enabled
• OCS – 1 of 3 with passphrase for CNG
• OCS is set in non-persistent mode

5. 2020/08/20 Removed OCS protection related section.

Supported HSMs

HSM Type | Client Version | Software Version | Firmware Version

nShield Connect HSM | 12.50.2 | 12.50.2 | The following is the output of enquiry (or nfdiag) command: nfast server: 2.103.13, module: 3.4.2

nShield Connect HSM (Strict FIPS 140-2 Level 3 enabled; Module protection for CSP and CNG) | 12.50.2 | 12.50.2 | 2.61.2


nShield Connect HSM

nShield Connect is a network HSM, which allows you to create a module (Operator Card Sets) to store a key. Security World Software can access the partition of the HSM through a secure channel.

Install Security World Software

Extract or mount the iso image.

NOTE: If you upgrade the client software, the old version must be uninstalled first. After uninstallation, the computer must be rebooted.

Even if you uninstall the old version, you do not have to configure the client software again because the HSM has already configured the client.


Run "setup.exe" as Administrator.


Select the components and the destination and click Next.

• Select all the components by default.
• Change the destination folder if you want.
• Click Next.


Wait for the completion.


Install nShield PKCS#11 and click Next.


Installation is now complete. Click Finish.

NOTE: After uninstallation, several files of the old software remain in the Program folders under "Programs and Features". You need to manually remove the files for the installation to proceed.

Configure Security World Software

Add the path of executable file into environment variables.

Prepare to configure the client software.

Each client computer must be configured to use the internal security module of your nShield Connect. There are two methods for achieving this:

• Enrolling the client with the configuration file.
• Enrolling the client with command-line utilities.

Check if the tool works.

The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect. For more information about the options available to use with nethsmenroll, read the following section Client configuration utilities, or run the command:

nethsmenroll --help

Obtain the HSM ESN and HKNETI information.

Obtain the following information about the HSM before you set up an RFS for the first time:

• The IP Address
• The electronic serial number (ESN)
• The hash of the KNETI key (HKNETI)

The KNETI key authenticates the HSM to clients. It is generated when the HSM is first initialized from factory state.

To retrieve the nShield Connect’s ESN and HKNETI, run the command:

anonkneti <Unit IP>

The example output of the command is as follows:

>anonkneti.exe 10.204.153.52

0401-03E0-D947 18fd6da2186bd778259d31bd63cee09a01b68794

Register the configuration of the client into HSM.

The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect.

If you are enrolling the client without an nToken, run the command:

> nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

An example output is as follows:

> nethsmenroll -p <SERVER-IP> <ESN> <KNETIHASH>
OK configuring hardserver's nethsm imports

NOTE: The following is an output of the command if the entry that you want to add already exists.

> nethsmenroll -p 10.204.153.52 0401-03E0-D947 18fd6da2186bd778259d31bd63cee09a01b68794

nethsmenroll: an entry with ESN 0401-03E0-D947 already exists; use `--force' to overwrite it


Startup config-server.

The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe. Any fields for which values are not specified remain unchanged. After making any changes you are prompted to restart the hardserver.

> config-serverstartup [OPTIONS]

Test the installation.

To test the installation and configuration, follow these steps:

• Log in on the client computer as a regular user and open a command window.
• Run the command:

> enquiry

A successful enquiry command returns an output of the following form:

Server:
enquiry reply flags none
enquiry reply level Six
serial number ####-####-####
mode operational
version #-#-#
speed index ######
rec. queue ####..####
---
version serial #
remote server port ####

Module ##:
enquiry reply flags none
enquiry reply level Six
serial number ####-####-####
mode operational
version #-#-#
speed index #####
rec. queue ##..###
---
rec. LongJobs queue ##
SEE machine type PowerPCELF
supported KML types DSAp1024s160 DSAp3072s256
hardware status O

NOTE: If the enquiry command says that the unit is not found:

• Restart the client computer.
• Re-run the enquiry command.

Configure RFS synchronization.


The remote file system (RFS) contains the master copy of the HSM Security World data for backup purposes. The RFS can be located on either a client or another network-accessible computer where the Security World Software is installed. If the RFS is on a client, the same file structure also contains the configuration files for that client.

C:\Users\Administrator> rfs-sync.exe --setup --no-authenticate <RFS-IP>
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at <RFS-IP>:9004: not authenticating.

C:\Users\Administrator> rfs-sync.exe --update
Starting synchronisation, task ID 5ca6fa8a.32f596d69d1bb3ca
Updated (new) card_b5310850ab6c82e1605382c7b68b183cda60d13a_1
Updated (new) card_b5310850ab6c82e1605382c7b68b183cda60d13a_2
Updated (new) card_b5310850ab6c82e1605382c7b68b183cda60d13a_3
...
Updated (new) module_0401-03E0-D947
Updated (new) module_4711-02E0-D947
Updated (new) world
Finished synchronisation: 53 files updated, 0 committed.

C:\Users\Administrator> rfs-sync -c
Starting synchronisation, task ID 5ca48468.764b879a080c7eca
This client does not have commit permission to the RFS;you must run 'rfs-setup --gang-client' on the RFS first.

NOTE: The RFS synchronization port is 9004.

After the setup, the following command must be executed:


Check status through KeySafe. Run the following command.

C:\Program Files (x86)\nCipher\nfast\bin\ksafe.exe

NOTE: Please find the details of KeySafe in "nShield Connect User Guide for Windows"

Configure HA (High Availability)

Suppose there are several hardservers (for example, Server-A and Server-B). To configure HA, add all the hardservers as follows:

Obtain the HSM ESN and HKNETI information.

To retrieve the nShield Connect’s ESN and HKNETI, run the command:

anonkneti <Unit IP>

The example output of the command is as follows:

>anonkneti.exe <Server-A IP>
0401-03E0-D947 18fd6da2186bd778259d31bd63cee09a01b68794

>anonkneti.exe <Server-B IP>
4711-02E0-D947 c4405efd401b3719c109cde104832e3eec18376c


The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect.

If you are enrolling the client without an nToken, run the command:

> nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

The example outputs are as follows:

> nethsmenroll -p <Server-A IP> 0401-03E0-D947 18fd6da2186bd778259d31bd63cee09a01b68794
OK configuring hardserver's nethsm imports

> nethsmenroll -p <Server-B IP> 4711-02E0-D947 c4405efd401b3719c109cde104832e3eec18376c
OK configuring hardserver's nethsm imports
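
Both enrollment procedures above (single unit and HA) pass whatever anonkneti reports straight to nethsmenroll, and those values come from the unit being contacted over the network. The following is an added example, not part of the DigiCert guide or the nShield tooling: it parses anonkneti output and builds the nethsmenroll command only when the ESN and HKNETI match a record kept out of band. The inventory dictionary, the function names and the format patterns are assumptions of this example.

```python
import re

# Formats modelled on the sample values in this guide: an ESN is three
# dash-separated groups of four characters, an HKNETI is 40 hex digits.
ESN_RE = re.compile(r"[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}")
HKNETI_RE = re.compile(r"[0-9a-f]{40}")


def parse_anonkneti(output):
    """Return (esn, hkneti) from anonkneti output, or raise ValueError."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    # Drop an echoed prompt line such as ">anonkneti.exe 10.204.153.52".
    lines = [ln for ln in lines if not ln.startswith(">")]
    if len(lines) != 1 or len(lines[0].split()) != 2:
        raise ValueError("expected a single '<ESN> <HKNETI>' line")
    esn, hkneti = lines[0].split()
    esn, hkneti = esn.upper(), hkneti.lower()
    if not ESN_RE.fullmatch(esn) or not HKNETI_RE.fullmatch(hkneti):
        raise ValueError("malformed ESN or HKNETI")
    return esn, hkneti


def enroll_command(unit_ip, output, pinned):
    """Build the nethsmenroll argv only if the unit matches the pinned record.

    pinned maps ESN -> HKNETI as recorded out of band (hypothetical inventory).
    """
    esn, hkneti = parse_anonkneti(output)
    expected = pinned.get(esn)
    if expected is None:
        raise ValueError(f"ESN {esn} is not in the pinned inventory")
    if hkneti != expected.lower():
        raise ValueError(f"HKNETI mismatch for ESN {esn}")
    return ["nethsmenroll", "--privileged", unit_ip, esn, hkneti]


# Constructed inventory and transcript, reusing the sample values printed above.
PINNED = {
    "0401-03E0-D947": "18fd6da2186bd778259d31bd63cee09a01b68794",
    "4711-02E0-D947": "c4405efd401b3719c109cde104832e3eec18376c",
}
SAMPLE = (
    ">anonkneti.exe 10.204.153.52\n\n"
    "0401-03E0-D947 18fd6da2186bd778259d31bd63cee09a01b68794\n"
)

if __name__ == "__main__":
    print(" ".join(enroll_command("10.204.153.52", SAMPLE, PINNED)))
```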

Configure CSP (Module protection)

NOTE: Please note that for the deployment of the Autoenrollment Server, you need to configure CSP.


On Enable HSM Pool Mode, click Next.

NOTE: Do not select the “Enable HSM Pool Mode for CAPI Providers” checkbox.

On Initial setup dialog box, click Next.

NOTE: The first one (Use the existing security world) must be selectable. If not, please check the configuration of the module, for example rfs-sync.


On Set Module States dialog box, click Next.


On the Software Installation dialog box, click Next.


Confirm the CSP Providers for nCipher.

C:\Users\Administrator>certutil -csplist

Provider Name: Microsoft Base Cryptographic Provider v1.0
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Provider Type: 13 - PROV_DSS_DH

Provider Name: Microsoft Base DSS Cryptographic Provider
Provider Type: 3 - PROV_DSS

Provider Name: Microsoft Base Smart Card Crypto Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft DH SChannel Cryptographic Provider
Provider Type: 18 - PROV_DH_SCHANNEL

Provider Name: Microsoft Enhanced Cryptographic Provider v1.0
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Provider Type: 13 - PROV_DSS_DH

Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Provider Type: 24 - PROV_RSA_AES

Provider Name: Microsoft RSA SChannel Cryptographic Provider
Provider Type: 12 - PROV_RSA_SCHANNEL

Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: nCipher DSS Signature Cryptographic Provider
Provider Type: 3 - PROV_DSS

Provider Name: nCipher Enhanced Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: nCipher Enhanced DSS and Diffie-Hellman Cryptographic Provider
Provider Type: 13 - PROV_DSS_DH

Provider Name: nCipher Enhanced DSS and Diffie-Hellman SChannel Cryptographic Provider
Provider Type: 18 - PROV_DH_SCHANNEL

Provider Name: nCipher Enhanced RSA and AES Cryptographic Provider
Provider Type: 24 - PROV_RSA_AES

Provider Name: nCipher Enhanced SChannel Cryptographic Provider
Provider Type: 12 - PROV_RSA_SCHANNEL

Provider Name: Microsoft Software Key Storage Provider

Microsoft Platform Crypto Provider: The device that is required by this cryptographic provider is not ready for use.

Provider Name: Microsoft Smart Card Key Storage Provider
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
CertUtil: The device that is required by this cryptographic provider is not ready for use.

NOTE: You can find the following providers:

• nCipher DSS Signature Cryptographic Provider
• nCipher Enhanced Cryptographic Provider
• nCipher Enhanced DSS and Diffie-Hellman Cryptographic Provider
• nCipher Enhanced DSS and Diffie-Hellman SChannel Cryptographic Provider
• nCipher Enhanced RSA and AES Cryptographic Provider
• nCipher Enhanced SChannel Cryptographic Provider

Configure KSP (Module protection)

NOTE: Please note that for the deployment of the Enterprise Gateway Server, you need to configure KSP.


Click Next.

On Enable HSM Pool Mode, click Next.


On Initial setup dialog box, click Next.

NOTE: The first one (Use the existing security world) must be selectable. If not, please check the configuration of the module, for example rfs-sync.


On Key Protection Setup dialog box, click Next.


Click Finish.

Confirm the providers for nCipher.

C:\Users\Administrator>cnglist --list-providers
Microsoft Key Protection Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

NOTE: You can find the following providers: nCipher Primitive Provider


Generate CSR and Install Certificate (Module protection)

Create the information file for CSR.

a) To generate CSR through certreq.exe through CSP, the ProviderName must be "nCipher Enhanced Cryptographic Provider". The sample of inf file follows:

[Version]
Signature = "$Windows NT$"

[NewRequest]
RequestType = PKCS10
ProviderName = "nCipher Enhanced Cryptographic Provider"
Subject = "CN=Registration Authority"
KeyContainer = "CSPRA20200316"
MachineKeySet = TRUE
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xf0

b) To generate CSR through certreq.exe through KSP, the ProviderName must be "nCipher Security World Key Storage Provider". The sample of inf file is as follows:

[NewRequest]
KeyUsageProperty = "NCRYPT_ALLOW_ALL_USAGES"
RequestType = PKCS10
ProviderName = "nCipher Security World Key Storage Provider"
ProviderType = 0
Subject = "CN=Registration Authority"
KeyContainer = "KSPRA20190418"
MachineKeySet = TRUE
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048

Generate CSR through HSM.

NOTE: <inf-file> is the file created at step #1, <csr-file> is an output file.

a) Open command prompt and run the following command:

> certreq -new <inf-file> <csr-file>

b) The CSR file will be generated as follows:

---BEGIN NEW CERTIFICATE REQUEST---

MIIDjzCCAncCAQAwITEfMB0GA1UEAwwWUmVnaXN0cmF0aW9uIEF1dGhvcml0eTCC
....
C610uaqncn6FvLu5pygZYFEVtOanCXNQRRUWiDGWKjHF+10GMh+V5YUur55T4W80
0uwK
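
A request file that names a different provider still produces a CSR, but the key is then created by that provider rather than the nCipher one this guide configures. The following added example (not from the DigiCert guide) checks a certreq .inf against the settings shown in the two samples and the revision history before `certreq -new` is run. The function name, the finding messages and the second sample file are constructed for illustration.

```python
import configparser

# Provider names this guide requires for the CSP and KSP request paths.
REQUIRED_PROVIDER = {
    "csp": "nCipher Enhanced Cryptographic Provider",
    "ksp": "nCipher Security World Key Storage Provider",
}


def check_request_inf(text, kind):
    """Return findings for a certreq .inf; an empty list means it passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "newrequest"), None)
    if section is None:
        return ["no [NewRequest] section"]
    # configparser lower-cases keys; values may be wrapped in double quotes.
    req = {k: v.strip().strip('"') for k, v in cp.items(section)}
    findings = []
    if req.get("providername") != REQUIRED_PROVIDER[kind]:
        findings.append("ProviderName is not the nCipher provider this guide requires")
    if req.get("requesttype", "").upper() != "PKCS10":
        findings.append("RequestType is not PKCS10")
    if req.get("machinekeyset", "").upper() != "TRUE":
        findings.append("MachineKeySet is not TRUE")
    length = req.get("keylength", "")
    if not length.isdigit() or int(length) < 2048:
        findings.append("KeyLength is missing or below 2048")
    if kind == "ksp" and req.get("providertype") != "0":
        findings.append("ProviderType is not 0 for the KSP")
    digest = req.get("hashalgorithm")
    if (kind == "ksp" and digest is None) or (digest and digest.upper() != "SHA256"):
        findings.append("HashAlgorithm is not SHA256")
    return findings


# The KSP sample from this guide, then a constructed file with three defects.
KSP_SAMPLE = """[NewRequest]
KeyUsageProperty = "NCRYPT_ALLOW_ALL_USAGES"
RequestType = PKCS10
ProviderName = "nCipher Security World Key Storage Provider"
ProviderType = 0
Subject = "CN=Registration Authority"
KeyContainer = "KSPRA20190418"
MachineKeySet = TRUE
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
"""
BAD_SAMPLE = KSP_SAMPLE.replace("nCipher Security World", "Microsoft Software") \
    .replace("SHA256", "SHA1").replace("2048", "1024")

if __name__ == "__main__":
    print(check_request_inf(KSP_SAMPLE, "ksp"), check_request_inf(BAD_SAMPLE, "ksp"))
```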


Install a certificate.

a) Open the command prompt (on the folder where the PKCS#7 file exists) and run the following command:

> certreq -accept <issued-cert>

b) Before running the command, the trusted root certificate must be installed. If not, the following error appears.

Certificate Request Processor: A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)

Get RA Certificate in PKI-Manager

The generated CSR (PKCS#10) can be copied and pasted onto the "Get an RA certificate" page on PKI Manager by an authorized PKI Administrator. The resulting RA (PKCS#7) certificate can be saved onto a local folder.


Click Menu and select Get an RA Certificate.


The CSR looks like the following. Paste it into the field.

---BEGIN NEW CERTIFICATE REQUEST---

MIIDjzCCAncCAQAwITEfMB0GA1UEAwwWUmVnaXN0cmF0aW9uIEF1dGhvcml0eTCC
...
zbnTmg1IIY4NSgFcRsbs5j5GQDN86gSKmQ8/EvOjbpC62X3ZDhVmYSMBJUO1Jgv6
1tyz

---END NEW CERTIFICATE REQUEST---

Click Download to download the PKCS#7 file.
